    Preventing SQL Injection through Automatic Query Sanitization with ASSIST

    Web applications are becoming an essential part of our everyday lives. Many of our activities depend on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove SQL injection vulnerabilities in code. In our technique, a combination of static analysis and program transformation is used to automatically instrument web applications with sanitization code. We have implemented this technique in a tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool) for protecting Java-based web applications. Our experimental evaluation showed that our technique is effective against SQL injection vulnerabilities and has a low overhead. Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330

    Automated removal of cross site scripting vulnerabilities in web applications

    Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts into web pages via such inputs, so that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigating this problem mainly focus on effective detection of XSS vulnerabilities in programs or on prevention of real-time XSS attacks. As more sophisticated attack vectors are discovered, vulnerabilities that are not removed could be exploited at any time. To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications. Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms that prevent input values from causing any script execution. We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach in experiments on five Java-based web applications. Our evaluation has shown that the tool can be applied to real-world web applications and that it automatically removed all the real XSS vulnerabilities in the test subjects.

    Hybrid Taint Analysis for Vulnerability Detection of XSS & SQL Injection in Django

    In this thesis we implement an execution monitor that combines hybrid analysis and server-side parsing in order to discover XSS vulnerabilities in template rendering, XSS vulnerabilities in simple HTTP responses and potential SQL injections in raw SQL queries in Django web applications. It is observed that many industry solutions apply context-insensitive auto-sanitization as their main defense strategy. However, this provides a false sense of security, since untrusted data must be sanitized differently depending on their browser context. Therefore, the need to check for context-sensitive vulnerabilities is evident. Moreover, attention must be given both to simple HTTP responses, for which no corresponding auto-sanitization policy exists, and to raw SQL queries, which are used when the Django ORM proves insufficient. We provide an analysis tool in the form of a library written entirely in Python, based on the approach of Conti & Russo [2], later adopted by Steinhauser & Tůma [1]. No modifications to the interpreter are required. We use Python decorators to intercept the taint sources, the taint sinks, the sanitizers and the parsers during the execution of the application. A decorator is a form of meta-programming that allows the developer to extend the functionality of existing code at runtime. Using dynamic analysis we monitor the information flow at runtime and record all sanitizers that were applied. A vulnerability is reported immediately if tainted data have reached a simple HTTP response or a raw SQL query. However, if tainted data have reached a Django template, we invoke the server-side parser. More specifically, we invoke the Model Browser & Sanitization Verifier modules, determine the browser context of the tainted variables and verify the results. In our effort we discovered an issue in the approach of Conti & Russo. In some cases, the taintedness marking of data can be revoked as tainted information flows from a source to a sink. As a result, data marked as untainted will reach the sink and no vulnerability will be reported even though one may exist. To address this problem, we introduce a new customised version of static analysis that builds an Abstract Syntax Tree (AST) of a code file and analyzes it line by line. According to Rice's theorem, static analysis is undecidable, so we compromise between precision and undecidability and use decidable approximate answers. Finally, static analysis inevitably tends to present some false positives. Nevertheless, based on the tests and scenarios we conducted, we argue that our tool successfully reports the majority of the vulnerabilities.

    In this thesis, we implement an execution monitor which combines hybrid (dynamic & static) taint analysis and server-side parsing in order to discover context-sensitive XSS flaws in template rendering, context-insensitive XSS flaws in simple HTTP responses and potential SQL injection in raw SQL queries in Django web applications. It is observed that many industry solutions implement context-insensitive auto-sanitization as a main defense strategy. However, this provides a false sense of security, since untrusted data need to be sanitized differently based on their browser context. Therefore, the necessity for control over context-sensitive flaws is strikingly evident. Moreover, Django has no auto-sanitization policy regarding simple HTTP responses and, consequently, it is indisputable that attention has to be given also to simple HTTP responses. Last, raw SQL queries are often used when the Django Object-Relational Mapper (ORM) proves not enough. Thus, this might pose a security risk if not handled correctly. We provide an analysis tool via a library entirely written in Python based on the approach presented by Conti & Russo [2] and later adopted by Steinhauser & Tůma [1]. No modifications in the interpreter are needed. To do so, we conscript Python decorators to intercept the taint sources, taint sinks, sanitizers and parsers at runtime. A decorator is a Python feature, a form of meta-programming that allows the developer to extend the functionality of existing code at runtime without permanently modifying it. Using dynamic taint analysis, we monitor the information flow during execution time and record all sanitizers applied. A security flaw is reported immediately when tainted data reach a simple HTTP response or a raw SQL query. However, if tainted data are passed to a Django template we invoke the server-side parser. We mark these data with an annotation inside the template and we invoke the Model Browser & Sanitization Verifier modules. The Model Browser parses the HTTP response produced on the server side to determine the browser context of tainted values. The Sanitization Verifier validates the discovered sanitization sequences and browser context sequences. In the effort to deploy the taint analysis library we discovered an issue in the approach of Conti & Russo. In some cases, taintedness of data can be revoked as tainted information flows from a taint source to a taint sink. As a result, untainted data will reach the taint sink and, therefore, no flaw will be reported even though it might exist. To tackle this problem, we introduce a new customised version of static taint analysis that builds an Abstract Syntax Tree (AST) of a target code file and, beginning from the taint source line, parses the code line by line until it reaches the end of the local scope or a return call. According to Rice’s theorem, static analysis is undecidable, so we make a compromise between precision and decidability. We use approximate answers and we consider a list of assumptions. In the end, inevitably, static taint analysis inherently tends to present some false positives. Nevertheless, based on the test cases and scenarios we have conducted, we argue that our tool successfully reports the majority of security flaws.

    pDroid

    When an end user attempts to download an app from the Google Play Store they receive two related items that can be used to assess the potential threats of an application: the list of permissions used by the application and the textual description of the application. However, this raises several concerns. First, applications tend to use more permissions than they need, and end users are not tech-savvy enough to fully understand the security risks. Therefore, it is challenging to fully assess the threats of an application by only seeing the permissions. On the other hand, most textual descriptions do not clearly state why the application needs a particular permission. Together, these two issues make it difficult for end users to accurately assess the security threats of an application. This has led to a demand for a framework that can accurately determine whether a textual description adequately describes the actual behavior of an application. In this Master Thesis, we present pDroid (short for privateDroid), a market-independent framework that can compare an Android application’s textual description to its internal behavior. We evaluated pDroid using 1562 benign apps and 243 malware samples, and pDroid correctly classified 91.4% of malware with a false positive rate of 4.9%.

    25 Million Flows Later - Large-scale Detection of DOM-based XSS

    In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem.

    Important Factors to Remember when Constructing a Cross-site Scripting Prevention Mechanism

    Web applications have become an essential part of daily activities, providing easy accessibility and better performance. They are a platform where sensitive information such as usernames, passwords, credit card details, operating system and software versions, etc. is stored, which attracts intruders to mount most of their attacks. Intruders can steal valuable data by exploiting web application security flaws; Cross Site Scripting (XSS) vulnerability is one of these. Several studies have been conducted in order to prevent the XSS vulnerability. In this research, we searched Scopus-indexed articles published in the last 11 years (between 2008 and 2020) using two keywords (“XSS Attack Prevention” and “XSS Prevention”). The purpose of this study was to conduct a literature review of XSS prevention techniques, including their strengths and weaknesses, structural issues and real-time deployment location, in order to extract valuable information. This review identified 14 articles among the 25 selected articles that provided various suitable prevention techniques for XSS attacks. Seven articles are based on tools that have been implemented and take into account design, coding, testing, and integrating validation processes, six articles are about server-side solutions, and one is about automatic mitigation solutions. As a result, this research will be invaluable in guiding the advancement of XSS prevention techniques.